7.9 PKIX support

  • 7.9.5 CAServer

    Refer the caserver.xml for the details.


    • OcspServer element

      7 attributes:

      port:specifies the HTTP service running port 80 of the OCSPServer, which is bound to all network interfaces.

      nextUpdateDelay:the number of days for next update. This attribute is used to set the nextUpdate information in the Ocsp response, and also determine the generation cycle of CRL list.

      certificateAlgorithm:the public key algorithm used by CAServer when automatically signing the Ocsp signature certificate.

      certificateLifetime:the life with the day as unit used by CAServer when automatically signing the Ocsp signature certificate.

      signatureBits:the bit number of the Ocsp response signature, and the legal values are 256, 384, and 512.

      responseCacheCapacity:each Ocsp response requires the Ocsp certificate signature. In order to improve the performance, the cache must be provided. The cache is designed as LruCache with 32 partitions, and this parameter configures the total capacity to response cache.

      ocspStore:configures the path of ocsp storage directory.

      ocspStore management:

      • 1. In the ocspStore directory, the CA subdirectory is distinguished by the CA’s serialNumer, and the certificate in each subdirectory is named as "certSerialNumber"."certNotAfter"."revocationTime".cer, where the certSerialNumber is the serial number of the revoked certificate, and the certNotAfter is the expiration time of the revoked certificate, and the revocationTime is the revoke time.

      • 2. The expired revoked certificate is automatically deleted from the corresponding CA subdirectory. If the CA is expired, the entire subdirectory is automatically deleted.

      • 3. The ocspStore directory itself is monitored. If there is new file in the directory, this file is recognized as a certificate which needs to be revoked to be distinguished. The file will be revoked and then deleted if success, or directly deleted. Note: the certificate which is expected to be revoked should first be created in other location within the same file system, and then MOVE to ocspStore, but not COPY because COPY has a writing process. The file is immediately monitored when creating. When the recognization operation is performed, the writing process may not complete, which results in the recogniation failure. The file is directly deleted and the revoke operation is ignored.

      • 4. The CA subdirectory in the ocspStore directory is monitored. If a revoked certificate file is deleted, the Recall operation is automatically performed.

      • 5. The management of the monitored directory is mainly provided to independent OcspServer to use. In the CAServer, the management page is used to perform the Revoke and Recall operations.

      When CAServer launches, it automatically issues the Ocsp signature certificate for this service. And when the certificate will be expired, it will be automatically renew.


    • CertUpdateServer element

      4 attributes:

      port:specifies the HTTPS service running port 443 of CertUpdateServer, which is bound on all network interfaces.

      renewLifespanPercent:after the certificate life passes this percentage, the Renew operation will be performed, to avoid the client side frequent renew which increases the server load.

      certificateAlgorithm:the public key algorithm used by CAServer when automatically signing the HTTPS server certificate.

      certificateLifetime:the life with the day as unit used by CAServer when automatically signing the HTTPS server certificate.


      When CAServer is launched, it automatically signs the HTTPS server certificate for this server. When the certificate will expire, the server automatically renews the certificate and restarts the service. This server only accepts the Renew request from the certificates signed by the same CAServer. The Revoked certificate can not be Renewed because of failed verification.


    • Trace element

      Same as the other Limax service configuration. Please refer the Operation Management Configuration section in the manual.

  • 7.9.6 OcspServer

    Independent running OcspServer.

    The ROOTCA runs offline, so the independent OcspServer must be launched to issue the CA status signed by this ROOTCA.


    • OcspServer top layer element

      9 attributes:

      domain:specifies the server domain name of this OcspServer running.

      location:the location of Ocsp signature certification

      passphrase:the password to enable the private key of location. In actual operation, this property should not be used and should be input during the server launching.

      cRLFile:the path of CRL file signed by ROOTCA.

      port,nextUpdateDelay,signatureBits,responseCacheCapacity,ocspStore:the descriptions of these 5 attributes are described in the OcspServer element of the CAServer section.


    • Trace element

      Same as the other Limax service configuration. Please refer the Operation Management Configuration section in the manual.

  • 7.9.7 Example of commands corresponding to the test configuration

    Enter 123456 in all password prompts.


    • Create and run ROOTCA

      • 1. Sign ROOTCA


        java -jar limax.jar pkix initroot "file:ca@/work/pkix/root#rsa/2048/256" "dc=limax-project,dc=org" "20100101" "20500101"

      • 2. Sign the Ocsp signature certificate issued by ROOTCA


        java -jar limax.jar pkix initocsp "file:ca@/work/pkix/root" "pkcs12:/work/pkix/root/ocsp.p12#rsa/2048" "cn=OCSP Responder,dc=limax-project,dc=org" "20170101" "20200101"

      • 3. Initiate CRL of ROOTCA


        java -jar limax.jar pkix gencrl "file:ca@/work/pkix/root" /work/pkix/root/ca.crl 20171001

      • 4. Configure the domain name server, resolve the root.limax-project.org to the IP of the machine which runs the independent OcspServer, and then run OcspServer.


        java -jar limax.jar pkix ocsp ocspserver.xml

    • Sign and run CAServer (sign the first CA and use it several times, then sign the second CA)

      • 1. Use ROOTCA to sign the first CA


        java -jar limax.jar pkix initca "file:ca@/work/pkix/root" "pkcs12:/work/pkix/ca/ca0.p12#ec/256" "dc=ca,dc=limax-project,dc=org" "20150101" "20200101" "root.limax-project.org"

      • 2. Use ROOTCA to sign the second CA (the same as subject)


        java -jar limax.jar pkix initca "file:ca@/work/pkix/root" "pkcs12:/work/pkix/ca/ca1.p12#rsa/2048" "dc=ca,dc=limax-project,dc=org" "20170101" "20300101" "root.limax-project.org"

      • 3. Configure the domain name server, and resolve ca.limax-project.org to the IP of the machine which runs CAServer.


        java –jar limax.jar pkix ca caserver.xml

      • 4. Copy the generated authcode.jar in current directory and use it in the certificate management page.


Prev Next